Information Systems Security: A Note to Security Educators


The role of the security educator as proponent of security awareness
in a work-place environment that includes advanced automated systems
is constantly expanding. As we come to depend more and more on
electronic storage, processing, and transmission of information,
members of our employee populations, without exception, must be
informed about the unique threats and security safeguards that apply
to the modern workplace.

The two feature articles that appear in this issue of the Bulletin
have been selected because they offer useful ideas and factual
information that you might include in a security educational program.
The first of these, “Defining the Threat to Information Systems,”
could serve as the basis for a briefing or newsletter feature on this
subject. In either form, of course, it should be edited, supplemented,
and otherwise “tailored” to meet the needs of your organization.

Both articles originated as presentations to the Conference on
Computer Crime: A Peopleware Problem, held at the Defense Personnel
Security Research Center, Monterey, California, in October, 1993.
And they also appear in the proceedings of that conference.
Defining the Threat to Information Systems: A Challenge for Security Educators


The common use of automated information systems components in the
modern workplace in both government and industry and the continued
need to protect information from competing interests at both the
national and corporate level have made necessary (1) the application
of new security countermeasures for automated systems, and (2)
additional security education for personnel having access to these
systems. Both advanced countermeasures and enhanced security education
are based on the belief that there is a persistent “threat” from
either external or internal sources — a threat which often lacks clear
definition in terms of (a) what exactly is being threatened, (b) why
it is being threatened, (c) where the threat is coming from, (d) how
it might be carried out, and (e) what we are supposed to be doing to
prevent it.

Sound familiar? These are the classic questions addressed by security
educators everywhere, in automated and non-automated environments
alike. And among the historic objectives of security awareness
programs in government aimed at the protection of classified and
sensitive information is our task of providing credible answers to
these questions. In fact, for the government security educator, never
has the need to define a credible external threat been so urgent as
now, following the collapse of the Soviet Empire and the dismemberment
of communist regimes. We are constantly challenged by cleared
personnel to explain why, since the KGB is no more, we still need an
array of elaborate protective measures.

Developing  a  Strategy  for  INFOSEC  Awareness 

Therefore the central purpose of this article is to map out what might
be an appropriate strategy for a security educator (perhaps like
yourself) confronted with the new challenge of giving a “computer
security briefing” or, more properly stated, educating employees in
information systems security. Before attempting to do this, I must ask
the reader to consider two predictions about the future of our
professional role regarding security awareness. These serve as
stepping-off points for what follows.

One prediction is that educational activities related to information
systems security in the future will be carried out by a generalist
security professional who does not have unique or technical
qualifications in automated information systems, computer science, or
electrical engineering. Just as paper and film as media for
communication have been taken for granted in the past, so it is that
in the modern workplace, moving into the 21st century, the use of
electronic media and computer processing of information will be
universally accepted features of our work.

A  second  forecast  is  that  information  security  in 
any  type  of  environment  will  remain  essentially  a 
human  issue.  For  example,  we  can  spend  millions  on 
NSA  endorsed  “trusted  systems,”  but  if  the  people  who 
have  access  to  those  systems  are  not  trustworthy  (loyal, 
reliable,  and  aware),  it’s  all  for  nothing.  The  same  could 
be  said  if  they  don’t  know  when  or  how  to  apply  a 
specific  technical  security  countermeasure. 

One implication of these two assumptions about the future is that we
as security educators are now, or will be, all in the same boat —
sharing responsibilities for training and awareness of personnel in
the modern automated workplace, and that the protection of
information, whether digitally recorded on magnetic media or on steno
pads, is a people problem.

Four  messages  we  need  to  communicate 

Perhaps the most difficult aspect of this new educational challenge is
how to approach the job: what is important to include (and not to
include) in a training or awareness program, and how to organize that
material. What follows is, in my opinion, some good advice about the
central arguments that we need to get across to an often-times
skeptical audience.*


*For many of these ideas we are indebted to security educators such as
Joseph Grau at the Department of Defense Security Institute, and more
recently Captain John McCumber of the Defense Information Systems
Agency, who has written extensively on information systems security.
1. “Information systems security” is no more than information security for the modern
workplace. We are building on long-established principles, policies, and practices.


The conceptual distinction between conventional information security
and “information systems security” is fast becoming artificial. At
best it has been a convenient way to organize the work of security
professionals. At its worst, it perpetuates the myth that security
countermeasures in an automated environment are too technical for just
anybody to understand. However, what has been good advice to security
educators for years in non-automated environments is generally still
valid. But the same principles may have to be described with new
terminology, and remedies prescribed in the form of new and somewhat
different countermeasures.

Not everybody in the security profession is happy about this idea. At
the 1993 Department of Defense Security Conference, heated and
anguished objections were raised by many senior security officers
about discussing AIS/computer security as “INFOSEC.” Whichever way we
may slice up the policy or distribute the procedural duties in the
security world, the fact remains that the above proposition can make
sense to the rank and file employees if logically explained.
Furthermore, if we can successfully sell the idea, this will go a long
way to demythicize security countermeasures for automated systems and
electronic processing. And as a result, our personnel will begin to
see information systems security as more of a human issue and
something they are empowered to support, rather than as too technical
to understand.

Getting  a  view  of  the  Big  Picture 

How can we achieve this educational objective? There are no easy
answers. But of particular value, not only for organizing our own
thinking but possibly as an instructional device itself, is the
three-dimensional INFOSEC Model described by Air Force Captain John
McCumber in his September, 1991, Security Awareness Bulletin article,
“Security Measures for the State-of-the-Art Workplace.”

This model as outlined can be applied to the conventional workplace as
well as to a fully automated environment. McCumber explains that
information in any of three states (transmission, storage, or
processing) is subject to three types of threat (to its
confidentiality, integrity, and its availability to a legitimate
user). The threat, if successfully carried out by an adversary, might
result in the theft, corruption, or destruction and/or denial of
access to a legitimate user.

McCumber’s third dimension categorizes security countermeasures
appropriate for each state and each critical characteristic. The
countermeasures also have three categories: technology, policy &
practice, and education. What we end up with is a three-dimensional
map, as shown below, for evaluating the security effectiveness of any
information system. The resulting 27 cells can be evaluated
independently, each with its own appropriate security countermeasures.

While useful to an analyst engaged in system certification (which
apparently was McCumber’s original intent), one might hesitate to
employ this diagram as an instructional aid for a typical audience or
readership. At first glance, it looks complicated, and it is somewhat
at odds with the best advice of seasoned trainers: The KISS Principle
(“keep it simple stupid” or you lose your audience). And there are
simpler variations of this model that have potential for security
education. In the same 1991 Bulletin article, McCumber offers a table
showing three categories of countermeasures in which countermeasures
are identified for each of three states of information. This, in my
opinion, does have potential as a way to get people thinking about how
they can protect information in an automated environment.

But more importantly, this framework provides the opportunity for
comparing security countermeasures of all types including the
traditional world of paper, padlocks, inkpads and file cabinets. Only
a sampling of the total inventory of countermeasures for the workplace
is listed above. It might be possible, as an interesting instructional
exercise, or as part of a security briefing, to identify comparable
security procedures and measures for a non-automated environment for
each countermeasure appropriate for information systems security.
Layers of Security Measures by Information States

Information states (columns): TRANSMISSION, STORAGE, PROCESSING

TECHNOLOGY: STU-III; Data encryption devices; Code; Parity error
checks; Access codes; Password controls; Physical safeguards;
Intrusion protection; SCIF construction; Trusted systems (NSA); User
recognition systems; Multi-level processing; Error traps; Anti-virus
software

POLICY/PRACTICE: Data encryption standards; Personnel security; User
access policy; User authorization; Approved systems (DIS); Physical
safeguards; Approved storage; Personnel security; Access control
policy; Approved systems (DIS); Audit trails; Personnel security

EDUCATION, TRAINING, AWARENESS: COMSEC training; STU-III
indoctrination; Security indoctrination; Physical protection training;
Security indoctrination; Security education; Computer security
briefings

Probably the logical conclusion to this exercise would be for the
security educator to reaffirm the basic principles of information
security such as need-to-know, accountability, control of access,
physical protection, personal safeguarding, and employee
responsibility for reporting. As new technologies for the
transmission, storage and processing of information emerge, we simply
add new and technologically appropriate countermeasures to the
inventory.


2. Severe damage to government and defense-related information by both internal and
external offenders has occurred in the very recent past. It can happen to any
organization, and the damage can be significant.


It is not easy to find reliable case study material for use in
briefings or awareness publications without a systematic coverage of
news sources. But unless we can show that the lack of adequate
security has real and tangible consequences, our programs will lack
credibility in the minds of our target audiences. On the following two
pages is a rough attempt to list the more important criminal cases or
events which have affected defense-related information systems since
1987. Included here are only those events which have come to public
knowledge through media coverage with a few notes on systems
penetrated, damage or compromise, and possible motivations. Behind
each entry is a potentially interesting case study that might be
fleshed out with additional research. Most, but not all, of these
events are related to computer hacking — defined in the 1990s as
illegal or unauthorized access to a system or network using telephonic
communication from a remote site.


The use of case information in security education is a long and
honored tradition which most of us believe is extremely effective if
handled correctly. We have seen in the past that one of the best ways
to capture the attention of an audience is to tell them stories,
particularly stories about the sins and failings of people just like
themselves — perhaps for the same reasons people love soap operas.
Nevertheless, these stories work and they serve as vehicles for
several teaching objectives.

The discussion of classic espionage cases in security awareness
briefings and video products brings the foreign intelligence threat
and the act of espionage into the world of reality. Furthermore, by
showing the extensive damage to national security resulting from each
betrayal, our employees are (we hope) more willing to see security
countermeasures as being important and worth implementing since they
may even save lives.
Name (Age) | Date | Systems Penetrated/Compromised | Damage/Compromise | Stated Motivation

* This listing is based on a database search of public media reports from 1987 to the present; the author does not suggest that it is necessarily


Thus by adopting the strategy of a traditional security educator who
wants to make “the threat” credible by talking about real offenders,
and by a regular exploitation of media sources and official reports,
we can put a human face on computer crime. We can discuss, for
example, the type of people who might attempt to sabotage a system
with a Trojan horse or virus. We can get an idea about what motivates
some teenagers to create havoc in some of the most extensive research
networks in the nation.

As in the classic espionage cases, each of these computer crime
stories offers lessons learned. However, one big difference between
the two categories of events is that while in almost all of the recent
classic espionage cases (John Walker, Thomas Cavanagh, William Bell,
James Hall, Larry Wu Tai Chin) betrayal of public trust is a common
denominator, this is much less typical of computer crime cases
endangering national security where the perpetrator was never
authorized access to the system into which he intruded. There are two
or three inside jobs listed here, but in most of these events the
crime is “breaking and entering” by a total outsider who can do
enormous damage from a remote location.


3.  Foreign  intelligence  services  represent  only  one  of  several  sources  of  threat  to  our 
systems.  We  have  to  address  both  external  and  internal  threats. 


Referring again to one of the eternal questions that each security
educator is duty bound to answer, “Where is the threat coming from?”
we can see here another contrast between classic espionage and
contemporary computer crime. Whereas the former events nearly always
involve foreign interests and foreign intelligence services at some
point in the activity, computer crime endangering national security
rarely is associated with a foreign intelligence organization, at
least among cases that are openly acknowledged. But this may be
illusory; it is quite conceivable that the penetration of sensitive
government and defense contractor systems by foreign intelligence
services is routinely so successful that it goes unnoticed or is not
openly admitted.

In 1986 press reports announced the probable exploitation of
unclassified but sensitive U.S. defense-related data through a
Vienna-based research institute which employed both Western and Soviet
Bloc scientists. This was done by conventional long-distance telephone
and with legitimate access procedures.

The only publicly known instance of foreign intelligence involvement
in a hacking scheme was seen in the case of the West German Hackers
who served as a conduit for sensitive U.S. Government information
going to the KGB. The full account of this story is found in Clifford
Stoll’s entertaining book, The Cuckoo’s Egg: Tracking a Spy through
the Maze of Computer Espionage. In an entirely different category is
the case of Michael Peri, who physically delivered classified floppy
disks and a computer with a classified file on the hard drive to East
German Intelligence in 1989. Of the other offenders listed here, only
Kevin Lee Poulsen was charged under the espionage code for having
illegally obtained a classified document (presumably by electronic
transmission). This was reported to have been an Air Force Tasking
Order, containing flight orders for Army paratroopers on a 1987
military exercise at Fort Bragg, N.C.

In most of the events that involve the penetration of a national-level
information system, what we do see reported, however, is an act
committed not by a representative of foreign interests but by a very
young individual whose motives are not clear and who may have no real
interest in providing illegally accessed information to any foreign
interest. In many of these situations it turned out that the greatest
threat to the information posed by hackers was not so much in its
being compromised, but in its being altered, destroyed, or denied to
legitimate users.

One can see in the cases listed here the predominance of a “domestic”
threat (with a few foreign penetrators) acting on behalf of no one
else. But in most cases, the offenders operate from outside of a
restricted access system. In a larger number of computer crime cases
in which private sector systems and data are targeted for illegal
profit (not included in the listing), the culprit is typically an
“insider;” that is, a person like logic bomber Michael Lauffenberger
who had authorized access to the system, if not to all of the
information contained in that system. These are some of the
significant differences and similarities between what might be called
the conventional or traditional threat to protected information by
foreign intelligence services on one hand and the emerging threat to
information systems on the other.

Motivation:  why  do  they  do  it? 

While governmental and independent organizations report annually on
the enormous cost to private sector firms from computer crime
apparently committed for financial gain,§ those who attack and
penetrate government and defense community systems may be driven by
far more complex motives. At this point in time, suggestions about the
underlying motivations of Herbert Zinn, Mark Abene, the Dutch or
Australian Hackers, Kevin Poulsen, and others are guesswork. However,
press reports mention such things as intellectual challenge, thrill,
ego satisfaction, a craving for recognition and prestige, and the
boosting of self-esteem as driving forces.

John Markoff, writing in the New York Times, quotes one unnamed
researcher at a Silicon Valley research institution as concluding that
these hackers have an anti-social obsession. In recent years the
researcher offered four underground hackers salaried programming jobs
in an effort to channel their energy away from the destructive use of
computers. In each case the experiment failed:

“They’re  misfits,  losers  or  troubled  individuals 
lacking  a  sense  of  duty  or  morals  ...  Every  single 
one  of  them  had  deep  psychological  problems.” 

To better examine the predisposition to this category of crime, the
Community Research Center, a group of Federal agency clinical
psychologists, has initiated a study of the psychological make-up of
computer offenders. This, like CRC’s ongoing research on espionage
felons (Project Slammer), will be based on in-depth interviews with
each offender under clinical conditions.

What can be said to our employee populations about the reality of the
external threat to information systems?


With the help of counterintelligence professionals in the FBI, DIA and
other agencies, we are beginning to put together a response to this
question that is both believable to our employee populations and
factually accurate. Without going into unnecessary detail, the facts
are these: While the KGB in name is gone, the GRU remains active and
the post-Soviet Russians still target critical defense-related
information. The foreign intelligence threat is coming at us from
diverse sources — friend and foe alike. This includes organizational
entities which are not nation-states: international corporations,
terrorist groups, rebel factions, and organized crime. High on the
list of targeted information is advanced technology having military
application which may or may not be formally classified. Lastly, we
know that our economic competitors overseas work very closely with
their respective national intelligence organizations to acquire our
protected technologies. And there is no reason to believe that these
intelligence services have failed to take advantage of human talents
and new technologies that can be mobilized to penetrate our
information systems.

This recent redefinition of the foreign intelligence threat for the
1990s and beyond is relevant to the issue of information systems
security since it broadens the range of possible non-domestic sources
about which we must be alert. But for the security educator who is
tasked with the job of briefing and in other ways educating
co-workers, supervisors, and executives functioning in an automated
workplace, this is only part of the answer, and as discussed above,
the source of the threat is only one of the several awareness issues
that must be addressed.


4.  We  are  not  helpless  when  confronting  these  potential  threats  to  automated  systems. 
There  are  things  that  every  employee  can  do  to  minimize  the  risk  of  compromise  or  loss 
of  information. 


Having informed people of the reality of a threat, we then need to
tell them what they can do about it. This is always one of the themes
(or should be) of an effective security awareness communication to
employee populations whose members have the responsibility for
safeguarding classified or sensitive information. Regrettably some
security educators don’t construct for their audiences the link
between the threat to information and the application of specific
security countermeasures. Another frequently missing element in
security education is specific information about past damage from
security failures and potential consequences of future disasters. All
the more reason to review past crime and espionage cases where the
damage can be spelled out in dollars or military consequences.

Experienced security educators tell us that our employees will pay
attention to security briefings if they are provided with specific
information that is concretely related to their day-to-day tasks and
to their professional success. What follows is a plan for discussing
on-the-job employee responsibility for information systems security.
In this table, specific ways in which insider or external offenders
threaten information are grouped according to which of three critical
characteristics of information they endanger: confidentiality,
integrity or availability. To the right are safeguards and methods
available to personnel for use in preventing or counteracting specific
threats. For example, the probability of success by a remote hacker
would be minimized by effective access controls. Insider sabotage
might be precluded by effective personnel security and a continuing
evaluation program that deals with employee dissatisfaction before it
gets out of hand.

Threats and Security Countermeasures for Information Systems

Critical Characteristic of Information Subject to Threat:
1. Confidentiality
   Modus Operandi or Criminal Action: Hacking from remote location;
   Unauthorized access; Insider theft of media; Illegal sale of
   data/software; Espionage by employee; Electronic eavesdropping;
   Theft of passwords
   Security Countermeasures: Effective access codes; Password
   controls; Personnel security measures; Security education; Data
   encryption; Multi-level processing; Approved systems

Critical Characteristic of Information Subject to Threat:
2. Integrity
   Modus Operandi or Criminal Action: Hacking from remote location;
   Insider sabotage; Introduction of virus; Alteration/deletion of
   data
   Security Countermeasures: Effective access codes; Password
   controls; Personnel security measures; Anti-virus software; Audit
   trails; Physical security

Critical Characteristic of Information Subject to Threat:
3. Availability
   Modus Operandi or Criminal Action: Introduction of worm to network;
   Insider sabotage; Insertion of logic bomb, trojan horse, virus,
   bacteria
   Security Countermeasures: Access controls; Anti-virus software;
   Audit trails; Personnel security measures

§ The FBI’s White-Collar Crime Section reported in 1993 that their
caseload for computer crime has quadrupled in the last two years. The
Council of Better Business Bureaus reports that U.S. businesses lose
$3 billion to $5 billion annually to computer crime.

The final message to convey to the audience by the security educator
is that good security depends upon everyone’s involvement and support
in the process and that security professionals are there to help,
advise and assist, rather than to apprehend or catch the slacker.


In summary, the probability of success in selling the above four
arguments to employee populations will be greatly enhanced by fully
integrating security education for information systems into the
comprehensive programs for security education. Partitioning out
“computer security” as an esoteric specialization automatically
creates a barrier to rank and file employee involvement and
understanding. Furthermore, much depends upon the educator’s ability
to accurately define the threat to information systems drawing on
current and authoritative counterintelligence reports and up-to-date
case information from media reports and other sources. Experience has
shown that what our personnel pay attention to is not abstract
generalizations, but real facts about real people and events having
consequences or payoffs that everyone can relate to.
Courses from the DoD Security Institute:

Information Systems Security Basics 5220.22


The course provides practice in fundamental computer security skills to support the protection of information
and information systems in the Department of Defense. Given modules of instruction, practical exercises, a
technical laboratory environment, and a library of reference materials, the student will be able to: Explain
the threat to and vulnerabilities of information systems and employ appropriate security countermeasures to
manage threat and minimize vulnerabilities; identify required physical, personnel, and procedural security
procedures for information systems; and describe the elements of the information systems accreditation
process. To enhance their job performance in the workplace, students will be given a “Security Information
Technology User’s Package” (SITUP), a collection of regulations, references, handbooks, newsletters,
training aids, and agency points-of-contact.

Target  audience: 

Priority 1: DoD personnel assigned or projected for assignment to perform the following information
systems support functions for their organization: Preventing, detecting, and eradicating viruses; auditing
information systems; evaluating access controls; clearing and purging of media; and evaluating accreditation
plans.

Priority  2:  Employees  of  other  federal  agencies  with  similar  duties  and  responsibilities  may  attend  the 
course  on  a  space  available  basis. 

Priority  3:  Policy  and  oversight,  inspection  and/or  audit,  and  other  personnel  functioning  in  support  of  the 
INFOSEC  mission. 


Required  personnel  security  clearance:  None 

Prerequisites:  Students  must  complete  and  will  be  evaluated  on  their  comprehension  of  reading  materials 
provided  to  them  before  class.  These  materials  identify  and  define  information  systems  technology  in  order 
to establish a common computer literacy baseline. Due to course design and time constraints, remedial training
is not available.


To  register:  By  invitation  only.  Nominations  are  validated  through  Information  Systems  Security  program 
managers  at  component  or  agency  level.  Points  of  contact  for  registration  are: 


Air Force    Mark Queener, AFC4A, Scott AFB, IL (618) 256-2586/DSN 576-2586.
Army         Phyllis Bailey, DISC4, Arlington, VA (703) 696-8061/DSN 226-8061.
Navy/USMC    Raymond Dohm, NISE-EAST, Washington, DC (202) 282-0702/DSN 292-0702.
DISA         Maria Lewis, DISA/UAI, Ft Richie, MD (301) 878-4678/DSN 277-4678.


For more information on attendance by other DoD agencies/activities or on course content, call Christ Breissinger
(804) 279-3174/DSN 695-3174; or Linda Braxton (804) 279-6076/DSN 695-6076. Fax extension is
6155.


Course  Dates: 
Apr  10-14, 1995 
May  15-19, 1995 


Jun  12-16, 1995 
Jul  10-14, 1995 
Aug 14-18, 1995

AIS Security Procedures for Industry 5220.10


The  course  describes  the  security  requirements  to  be  implemented  by  Department  of  Defense 
(DoD)  contractors  who  process  classified  information  on  AIS.  The  discussion  of  computer 
technology  fundamentals  and  the  description  of  system  vulnerabilities  provide  insight  as  to  why 
certain  security  procedures  are  required.  The  duties  of  the  contractor  personnel  delegated  the 
AIS  security  responsibility  are  highlighted.  The  process  for  requesting  written  accreditation 
prior  to  processing  classified  information  is  addressed  including  a  description  of  the  security 
plans  and  procedures  which  must  be  written.  The  security  modes  of  operation  are  described  and 
the  types  of  system  events  that  must  be  documented  are  identified.  Additional  requirements 
discussed  include  those  pertaining  to  physical  security,  software  controls,  media  handling  and 
disposition,  maintenance,  audit  records,  and  network  security.  During  a  practical  exercise, 
students  review  the  security  plan  for  a  microcomputer  and  conduct  a  self-inspection  of  the 
system  to  assess  its  compliance. 


Target  audience:  U.S.  contractor  Facility  Security  Officers  (FSOs),  Information  Systems 
Security  Representatives  (ISSRs),  Security  Custodians  (SCs),  or  individuals  whose 
responsibilities  within  their  companies  include  overall  security,  AIS  security  for  the  FSO,  or  AIS 
security for the ISSR. Department of Defense civilian and military personnel performing in
similar  positions  are  permitted  to  attend  on  a  space  available  basis. 

Required  personnel  security  clearance:  None 


Locations:

Apr 9-12, 1996     Orlando, FL
May 7-10, 1996     Minneapolis, MN
Jun 4-7, 1996      San Francisco
Jun 25-28, 1996    Scottsdale, AZ
Jul 23-26, 1996    Washington, DC
Aug 13-16, 1996    Ft Walton Bch, FL
Aug 20-23, 1996    Los Angeles, CA
Sep 10-13, 1996    Cherry Hill, NJ
Sep 17-20, 1996    Detroit, MI


Prerequisites:  Must  read  the  Basics  Booklet  for  Information  Systems  Security. 


To  register:  Forward  nominations  to  the  DIS  regional  cognizant  security  office  hosting  the 
course,  or  call  any  of  the  following  regional  offices  for  information  concerning  the  sessions: 


Mid  Atlantic  Sector,  Cherry  Hill,  NJ  (609)  482-6509  x230 
New  England  Sector,  Boston,  MA  (617)  451-4918 
Capital  Area,  Alexandria,  VA  (703)  325-9634 
Southeast  Region,  Smyrna,  GA  (404)  432-0826 
Southwest  Sector,  Dallas,  TX  (214)  717-0888 
Midwest  Sector,  Chicago,  IL  (312)  886-7737 
Pacific  Region,  Long  Beach,  CA  (310)  595-7666 


When  this  course  is  taught  in  residence  at  DoDSI,  you  may  enroll  either  by  using  the  Student 
Information  and  Registration  Network  (SIRN)  or  submitting  the  enclosed  Registration  Form. 

For more information on course content: Call Delmar Kerr/Christ Breissinger, (804) 279-5309/3174,
DSN 695-5309/3174.

DoD Security Institute
8000  Jefferson  Davis  Hwy,  Bldg  33E 
Richmond,  Virginia  23297-5091 

Registration  Form 


Use  this  form  only  if  you  don’t  have  access  to  the  SIRN.  Please  print  or  type,  and  fill  in  all  applicable  information.  In 
addition  to  serving  as  a  permanent  record  of  your  registration,  a  class  roster  will  be  compiled  prior  to  class  from  the 
information  on  this  form.  If  you  have  questions,  call  the  Registrar  (804)  279-4891,  DSN  695-4891. 

Privacy  Act  Statement 

Authority:  5  USC  301  and  DoD  Directive  5105.42. 

Principal  Purpose  or  Purposes:  The  primary  purpose  served  by  DSI  Form  2021A  is  to  serve  as  a  permanent  enrollment  record. 
Social  security  number  (SSN)  is  required  to  distinguish  between  records  of  students  with  the  same  name. 

Routine Uses: DSI Form 2021A is routinely used as an alphabetical index and locator card for students and as a course completion
record. 

Disclosure:  Disclosure  of  information,  including  SSN,  is  voluntary.  Failure  to  provide  such  information  could  result  in  inaccurate 
records  of  students  with  same  name. 


Course  title 

Course No.

Course  dates 

SSN  Name  (Last)  (First)  (MI)  (subtitle:  Jr.,  m,  etc.) 

Position 

Mil/GS  Grade 

Agency/Activity  Code 
(see  reverse  for  codes) 

Birth  date 
MM/DD/YY

Sex  (circle) 

F  M 

Clearance  level  (circle) 

C  S  TS  None 

Duty  Station/Facility  address 

Job  Title/Name/Address  of  Supervisor 
(if  same  address  d) 

(city)  (state)  (zip) 

dsn  O  release  authorized  D.SN 

Commercial  No.  — - -  Commercial  No. 

Education  level  Years  in  security  field 

Years  as  adjudicator 

DoDSI  supports  the  Americans  with  Disabilities  Act  of  1990.  Attendees  with  special  needs  should  indicate  those 
needs  here,  or  call  (804)  279-4891,  DSN  695-4891. 


Attendance  approved  by  official?  (if  identified  in  the  course  description  sheet)  Yes  No 

FSO  Program  Management  course  Personnel  Security  Adjudications  course 

completed  -  completed _ (or  Basic  Equiv.  Test) 

month/year  month/year 

DSI Form 2021 A/Jm 95

Agency/Activity Codes


Department  of  Defense 

DAF  Air  Force 

DAY  Army 

DAA  Defense  Contract  Audit  Agency 

DIO  Defense  Information  Services  Organization 

DSA  Defense  Information  Systems  Agency 

DIA  Defense  Intelligence  Agency 

DIS  Defense  Investigative  Service 

DLA  Defense  Logistics  Agency 

DMA  Defense  Mapping  Agency 

DNA  Defense  Nuclear  Agency 

DCR  Directorate  for  Industrial  Security  Clearance  Review 

DJS  Joint  Chiefs  of  Staff 

DJT  Joint  Command 

DMC  Marine  Corps 

DNS  National  Security  Agency 

DNY  Navy 

DSD  Secretary  of  Defense 

DoD  Other  Department  of  Defense 

Other  Government 

AID  Agency  for  International  Development 

OAG  Agriculture  Department 

OCM  Commerce  Department 

OED  Education  Department 

OEG  Energy  Department 

OEP  Environmental  Protection  Agency 

OFE  Federal  Emergency  Management  Agency 

OFG  Foreign  Government 

OGA  General  Accounting  Office 

OGS  General  Services  Administration 

OHS  Health  and  Human  Services  Department 

OIN  Interior  Department 

OIC  Intelligence  Community 

OJU  Justice  Department 

OLA  Labor  Department 

OLC  Library  of  Congress 

ONA National Aeronautics and Space Administration

OSF  National  Science  Foundation 

OTO  North  Atlantic  Treaty  Organization 

ONR  Nuclear  Regulatory  Commission 

OPM  Office  of  Personnel  Management 

OSB  Small  Business  Administration 

OST  State  Department 

OTP  Transportation  Department 

OTR  Treasury  Department 

OAC  U.S.  Arms  Control  and  Disarmament  Agency 

OCP  U.S.  Capitol  Police 

OIA  U.S.  Information  Agency 

OPS  U.S.  Postal  Service 

OSS  U.S.  Senate/House  of  Representatives 

OVA  Veterans  Affairs  Department 

SPB  Security  Policy  Board 

Private  Industry 
IND Private Industry

The Security Awareness and Education Subcommittee
proudly announces the release of a new video:


As  Others  See  You 

Understanding and Reporting Foreign Intelligence Threats


Designed  with  the  scientist  in  mind  —  and  those  in  the  technical  community  who  safeguard 
critical  technologies,  sensitive  proprietary  data,  and  government  classified  information.  This 
video  shows  that  the  loss  of  this  information  can  weaken  our  national  security  and  dull  our 
economic  edge. 

In this dramatization, we meet Dr. Woolrich, staff scientist from a U.S. Government
laboratory, who is confronted by five foreign admirers, each in a different professional role.
Any one of them, despite their credentials, could in reality be a foreign agent or an undercover
source for a foreign intelligence service. Which one, if any, is the agent? The audience can learn
an important lesson from this fictional scientist, especially if they later find themselves
approached by a foreign representative.

Produced  for  the  SAES  by  the  Department  of  Energy’s  Office  of  Counterintelligence, 
with  the  assistance  of  Federal  agencies  represented  on  the  subcommittee.  Run  time:  16  minutes. 
To obtain a 1/2-inch VHS copy, send a check or money order for $9.95 to:

CopyMaster Video Inc.
P.O. Box 684
Department 15
Villa Park, IL 60181

Allow 2-3 weeks for delivery.

For  additional  information,  phone  CopyMaster  at  (708)  279-1276. 

Each copy of the video comes with an 18-page presenter’s guide which describes specific
objectives for awareness programs designed to prevent the loss of critical technology.

You Can Host These Courses On-site at Your Facility
(Industry  or  Government) 


Security  Briefers  Course  (SBC) 

522.13, 2.5  days 

Purpose:  To  improve  your  effectiveness  as  a 
security  education  briefer.  You  will  receive 
instruction  on  how  to: 

•  prepare  a  briefing  plan; 

•  design and use briefing aids;

•  present  your  briefings  in  a  clear  and 
interesting  manner;  and 

•  evaluate  live  briefings. 

As  the  "Security"  in  the  course  title  suggests, 
the  briefings  must  address  security 
requirements,  but  this  is  not  the  emphasis  of 
the  course.  The  course  emphasis  is  on 
accomplishing  the  objectives  listed  above  so 
that  you  become  more  skilled  and  more 
comfortable  at  speaking  in  front  of  others. 


Train-the-Trainer Course (TTT)
522.13A, 4.5 days

Purpose: to train you to teach the SBC. This
workshop, conducted on the 2 days before a
scheduled SBC, prepares you to be an
instructor for the SBC. You will receive
instruction by DoDSI staff on how to:

•  use the SBC materials;

•  present  selected  lessons  in  the  SBC; 

•  facilitate  the  preparation  of  briefings; 

•  conduct  practice  briefing  sessions;  and 

•  evaluate  live  briefings. 

Under  DoDSI  supervision,  you  will  then  spend 
the  next  2.5  days  teaching  your  first  SBC. 


If you are considering participating in the TTT, it is suggested that you: be responsible for your
organization’s security briefing program; be an experienced security briefer or a graduate of the SBC;
have a need to train others to prepare and present security briefings; and have a working knowledge of
security requirements. If you want to learn how to brief, choose the SBC.

To host the courses described above, please call Linda Braxton, DoDSI at (804) 279-6076 or DSN 695-6076.

These  courses  are  held  in  succession.  The  TTT  precedes  the  SBC. 

To  host  the  SBC,  you  must  be  able  to  provide: 

□  one  main  classroom  for  24  students 

□  3  breakout  rooms  for  6  students  each 

□  A-V  equipment  for  all  4  rooms 

(Overhead  projectors,  screens,  and  writing  surfaces  for  each  room) 

□  At  least  two  of  the  instructors  and  preferably  more  for  the  TTT. 

□  An  on-site  coordinator 

□  Invitations  to  other  security  organizations  in  your  area  in  order  to  fill  a  class  of  24. 

The  Department  of  Defense  Security  Institute  (DoDSI)  will: 

Provide  the  lead  instructor  and  assume  responsibility  for  the  teaching  success  of  the  course. 

If  necessary,  provide  security  personnel  from  other  organizations  to  help  teach  the  course. 
Provide  two  full  days  of  training  for  the  instructors  prior  to  starting  the  course. 

Provide the instructional materials in sufficient quantities for 24 students.

Help the trainers teach the Security Briefers Course.

Attention Security Educators, here's your chance to sign up for the:

Train-the-Trainer/Security Briefers Course!

Train-the-Trainer/Security  Briefers  Course  will  be  offered  at  the 
DoD  Security  Institute 
in  Richmond,  Virginia,  on  these  dates 

Train-the-Trainer  Security  Briefers  Course 

June  3-7,  1996  June  5-7,  1996 

September  9-13,  1996  September  11-13,  1996 

If interested in attending either of the above classes, please mail us the
Registration Form on the last page.

or 

If  you’d  like  to  host  this  course,  call  Linda  Braxton  at  (804)  219-6016,  DSN  695-6076. 

In  addition  an  on-site  Security  Briefers  Course  is  being  taught: 

Dates  for  SBC:  August  7-9, 1996 

Sponsored  by:  Security  Awareness  &  Education  Subcommittee 

Where:  Commerce  Department,  Washington,  DC 

Point  of  contact:  Bob  McMenamin 

Phone: (202) 622-1120; FAX (202) 622-1056

3 new job aids for industry!

STU-III Accounting Instructions (tips for tracking your STU-III)
Top Secret Requirements (based on the ISM)
NATO Classified Information (quick reference guide)


Easy  to  get ...  Easy  to  use 


Contact:  DoDSI 

Industrial  Security  Team 

8000  Jefferson  Davis  Hwy,  Bldg  33E 

Richmond,  VA  23297-5091 

or call: (804) 279-5257

The Boeing Hacker Incident


by  Rhonda  E.  MacLean,  Senior  Manager, 
Boeing  Computing  and  Communications  Security 


Background 

With the Cold War behind us, we see an increasing
focus on competitive advantage in a global market.
This factor is currently influencing the way we do business
and will continue to do so for the foreseeable future.
Corporations are beginning to recognize the value
of intellectual property and its overall contribution to
maintaining a competitive edge. At the same time, corporations
are using automated systems to further ensure
their ability to compete in a world where business transactions
are handled in microseconds versus weeks or
months.

Computers and telephones have progressed far beyond
boxes on a desk, and are now gateways to business highways.
Many corporations are harnessing the latest technology,
enabling them unlimited access to world-wide
communication networks of data, voice and video. The
speed at which technology changes are faced today may
pale when compared to the pace of change in the future.
It is widely accepted that increased computer usage and
computer controlled media will be the “norm” for business
transactions.

Protecting those systems and the information contained
on them is being reevaluated by many corporations
today as a business priority. Unfortunately, in some
cases, the shock of having been compromised by an intruder
is necessary to gain the corporate commitment to
ensure that protective measures are in place and sustained.

Who’s using your system?

The Boeing Company received its wake up call in October
1992 when one of its major computer suppliers
called and wanted to know why a Boeing account,
belonging to a manager who had not used his ID number
for several months, was suddenly very active. In
reviewing the system logs, it was easy to confirm the
user-ID was being used by someone who was not
authorized.

By reviewing previous records, we were able to determine
the unauthorized activity had been going on for at
least a month before the call from the outside supplier.
Because the intruders were using an “authorized” account
which was not being actively used or monitored
by the account owner, the unauthorized activity was not
noticed. When the account owner subsequently
received his monthly computing charges, he was
surprised to see the amount of usage logged by the unauthorized
users.

Further investigation revealed the intruders gained access
through a conventional modem and off-the-shelf
software which made possible rapid sequential dialing
that speeded the process. Once the intruders reached a
computer, in this case Boeing’s computer, the rest was
easy. They went on to steal the local area network
password files, yielding access to a number of other
valid user accounts. Even though passwords are
encrypted, password cracking software made easy work
of revealing the necessary passwords.

Exacerbating the problem, the violated computer system
had established “trusted” network connections with
other computer systems inside and outside the Boeing
Company. [Once having successfully gained access in
one network, a user is assumed to be an authorized user
by other networks to which access is sought through the
first network.] Taking advantage of this “trust,” the intruders
were also able to gain unauthorized access to
other commercial industry, government agency, and
educational systems. We immediately notified those organizations
and quickly established an agreement to
work with law enforcement to apprehend the offenders.

Monitoring  the  crime  in  progress 

While we briefed management and developed an internal
strategy on the situation, the activities of the intruders
were being continuously monitored. The
recommendation to allow the intruders to continue unauthorized
access while working with law enforcement
was approved with the provisions that if any “malicious”
activity was detected, we would immediately
close the door.

Concurrently, we put together a response team comprised
of computing security specialists, technology support
persons, and computing security representatives
from each operating division. This team met daily to
review current activity and to plan the next steps. This
team, together with the response processes they
developed, would later provide the basis for developing
an internal computer emergency response team.
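The intrusion described above hid inside an account that had been idle for several months and then became very active, and nobody compared the new activity with the account's history for at least a month. As an added illustration (not part of the original article), the Python sketch below flags that pattern in session accounting records; the record layout, account names, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FORMAT = "%Y-%m-%d %H:%M"

# Constructed session accounting records: (user ID, login time, connect minutes).
SESSIONS = [
    # Regular weekly user: never dormant.
    ("eng204", "1992-08-31 07:55", 410),
    ("eng204", "1992-09-07 08:02", 395),
    ("eng204", "1992-09-14 07:58", 420),
    ("eng204", "1992-09-21 08:05", 400),
    # Account idle since March, then a burst of long night-time sessions.
    ("mgr017", "1992-03-02 09:00", 20),
    ("mgr017", "1992-03-09 10:30", 15),
    ("mgr017", "1992-09-14 23:40", 75),
    ("mgr017", "1992-09-15 01:10", 310),
    ("mgr017", "1992-09-15 22:05", 140),
    ("mgr017", "1992-09-17 00:30", 275),
    # Long absence followed by a single ordinary login (e.g. return from leave).
    ("ops311", "1992-06-01 08:00", 30),
    ("ops311", "1992-06-02 08:05", 25),
    ("ops311", "1992-08-17 08:10", 40),
    ("ops311", "1992-08-25 08:00", 30),
]


def find_reactivated_accounts(sessions, dormant_days=60, window_days=7,
                              min_sessions=3):
    """Flag accounts that log in after a long idle gap and then stay busy.

    An account is reported when the gap between two consecutive logins is at
    least `dormant_days` and at least `min_sessions` logins fall within
    `window_days` of the reactivating login. The thresholds are assumptions
    to be tuned per site; the very first login of an account has no history
    and is never flagged here.
    """
    by_user = defaultdict(list)
    for user, start, minutes in sessions:
        by_user[user].append((datetime.strptime(start, TIME_FORMAT), minutes))

    findings = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per account
        for i in range(1, len(rows)):
            idle = rows[i][0] - rows[i - 1][0]
            if idle < timedelta(days=dormant_days):
                continue
            # Count activity in the window that starts at the reactivation.
            window_end = rows[i][0] + timedelta(days=window_days)
            burst = [row for row in rows[i:] if row[0] < window_end]
            if len(burst) >= min_sessions:
                findings.append({
                    "user": user,
                    "last_seen": rows[i - 1][0],
                    "reactivated": rows[i][0],
                    "idle_days": idle.days,
                    "sessions_in_window": len(burst),
                    "minutes_in_window": sum(m for _, m in burst),
                })
    # Longest dormancy first: those are the least expected reactivations.
    return sorted(findings, key=lambda f: f["idle_days"], reverse=True)


if __name__ == "__main__":
    for f in find_reactivated_accounts(SESSIONS):
        print(f"{f['user']}: idle {f['idle_days']} days, then "
              f"{f['sessions_in_window']} sessions / "
              f"{f['minutes_in_window']} minutes within a week of "
              f"{f['reactivated']:%Y-%m-%d %H:%M}")
```

Lowering `min_sessions` to 1 also reports the single login after a long absence, which is the trade-off between catching a quiet intruder and flagging every employee who returns from leave.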

The company Computing & Communications Security
Organization took the lead in coordinating the internal
activity as well as interfacing with law enforcement
agencies. In addition, the company’s legal representative
was instrumental in assisting the group and in
working with law enforcement agencies. We kept the
size of the response team to a minimum and each member
was advised to maintain confidentiality. The objective
was containment while minimizing the risk of
“tipping our hands” to the intruders.

Senior managers were briefed daily as to the intruders’
activity. Each day management discussed and reviewed
the decision to leave the access open or to begin closing
the door. In addition, we briefed our senior public relations
executive who would have to deal with the news
media once the activity became public. This proved to
be an important element later in the case.

It’s  become  a  Federal  case 

Although we initially contacted the Federal Bureau of
Investigation (FBI), it was unclear which law enforcement
agency would actually have authority in this case.
We felt confident that both state and federal computer
trespass laws would apply. Therefore discussions were
also held with city and county police departments
having jurisdiction where the equipment was located.
Resolution as to jurisdiction came only after careful
review of additional evidence and discussions with the
law enforcement agencies on the range of laws being
violated.

During review of the activity, Boeing investigators determined
the intruders were using Boeing computing
resources primarily to crack passwords. One very important
password file the intruders moved to the Boeing
system (in order to crack it), was found to belong to the
United States District Court for the Western District of
Washington located in Seattle, Washington. The intruders
had successfully broken several passwords and
gained access to the court’s computer. It was primarily
this fact that resulted in the FBI’s jurisdiction in this
case (felony violation of Title 18, USC Section 371,
“Conspiracy to Defraud the United States Government”).


The level of concern and the stakes were substantially
raised once the intruders had shown interest in the
federal court’s computer. The information it contains is
considered extremely sensitive and its compromise
could have had very serious ramifications. If the intrusion
had been confined to only one company’s computing
system, it is unclear if the case would have been
considered serious enough for any prosecution to have
taken place.

Finding  the  Culprits 

At this point there was still no clue as to who the intruders
were or where they might be operating from.
The FBI asked the U.S. District judge for a court order
to allow the placement of a pen trap on the Boeing telephone
line to obtain the telephone number being used to
access Boeing’s systems. This proved to be more difficult
than anticipated and resulted in an important lesson
learned.

The unforeseen problem came as a result of Boeing’s
log-on message, presented any time a user is initializing
access. The log-on banner notified users that it is a
private computing system restricted to authorized individuals
and that actual or attempted unauthorized use
would result in criminal and civil prosecution. However,
the banner failed to notify persons attempting access
that the company reserved the right to review,
monitor and record without notice or permission. Additionally,
the log-on banner did not say that information
obtained by such monitoring, review or recording was
subject to review by law enforcement in connection
with the investigation or prosecution of possible
criminal activity on the system. In spite of this deficiency,
the court allowed a trap to be placed. It is unknown
if this would have proved damaging had the case gone
to trial.

Nonetheless, those missing items in our log-on banner
cost several days’ delay in obtaining the court order.
Creating further delay was the fact that the phone company
was unable to accommodate the request for a trap
in a timely manner due to lack of resources. They were
working higher priority cases, and because ours did not
involve personal endangerment, we had to wait. After a
week of waiting and applying pressure from all possible
sources on the phone company, the trap was at last installed.
Once it was in place, a telephone number was
obtained and traced through telephone company records
to a dormitory phone at a local university. At the same
time, a recording device was installed that recorded the
hackers’ activity. Other than password cracking, their
other main interest centered on reading the e-mail of
Boeing system users. At this point it didn’t take long
for the FBI through their investigative efforts to identify
the two hackers.

Time  to  Close  the  Door 

By this time over two weeks had gone by and the
decision was made to go ahead “quietly” with the
recovery part of our plan. Although we wanted to begin
closing our door, we knew this could tip them off. In
order to prove, without a doubt, whose hands and faces
were behind the computer, it was imperative to catch the
intruders in the act. Even though we felt the risk
was low that every password on Boeing’s system had
been cracked, we decided to take no chances. We
started by distributing a number of security software
tools to system administrators and by asking them to
reset all passwords on their systems. Consequently, our
plan required us to ask system administrators to bring
down production computer systems. This assured closing
down the intruders’ access. The administrators
needed executive management’s approval to bring down
production systems for password resetting. To obtain
this approval, we decided to have key executives in each
division sign a letter authorizing our system administrators
to follow designated instructions to bring
down the systems. The letter also emphasized to administrators
the extremely sensitive nature of the issue
and they were advised not to discuss it with anyone.

Here  we  learned  another  hard  lesson. 

These  memos  turned  out  to  be  a  strategic  error.  While 
they  were  hand  delivered  to  only  a  very  few  people,  it 
took  less  than  an  hour  before  someone  in  the  company 
faxed  the  letter  to  a  local  radio  and  TV  station.  Before 
the  close  of  business,  it  had  hit  the  local  news.  By  early 
evening,  national  news  agencies  had  begun  to  pick  up 
the  story.  We  felt  fortunate  that  we  had  previously 
briefed  our  public  relations  executives  so  they  were 
prepared  to  handle  the  situation. 

Arrests  and  Indictments 

The premature disclosure that someone was “breaking
into Boeing’s computers,” forced Boeing and law enforcement
to change their plans immediately. Obviously,
our plan to synchronize the arrest with the FBI was compromised.
Their agents were forced to switch quickly to
plan “B.” Arrests of the two hackers were made the following
week, and a full confession was obtained. They
were charged with a felony, “Conspiracy to Defraud the
United States Government.” As is typical in these
cases, the hackers were initially quite proud of what
they had done and consequently were more than happy
to show how smart they had been. Both had prior
records for theft of computer equipment.


In February 1993, the charges were plea bargained to a
misdemeanor, violation of the “Computer Fraud and
Abuse Act of 1986.” In June 1993 the hackers were sentenced
to 250 hours of community service, 5 years
probation, and $30,000 in restitution ($28,000 to
Boeing). Since the closing of this case, both individuals
have been re-arrested for violation of parole for the theft
of credit card numbers and cellular phone fraud.

In many ways our intruders were typical of nondestructive
hackers. Their method of operation was to “network
navigate” (a “hacker” term used to describe a
game whose objective is to see how many computers
they can access and browse through).

A  call  to  openness  and  prevention 

Traditionally the potential theft of competitive information
has been the objective in providing a level of “due
care.” However, the integrity and availability of the information
to legitimate users is also a major consideration
in abating risk. Hackers who “network navigate,”
or browse, are of concern not only because they are
stealing company time on computers, but because they
may inadvertently compromise the “integrity” of the information.
In some cases an unauthorized intruder can
totally disable a computing or telephone system, consequently
denying service for authorized users. This is
not just a mere inconvenience. The real costs to the
company are measured in terms of lost production and
lost revenue.

As the technology and the automated business environment
evolves, we see an alarming trend in which computer
and communication system intrusions are the basis
for criminal activities and/or monetary gain. There is a
significant difference between the adolescent prankster
and the criminal who has virtually unlimited access to
corporate and government information. This change has
happened so rapidly that many managers and corporate
executives are unaware of the threat. It is especially difficult
to quantify the threat in tangible terms because
current statistics are unreliable, and in many cases, unavailable.

Just  how  bad  is  it  out  there? 

At a recent conference of information technology security
managers, the attendees were asked if their companies
had been violated by hackers. Roughly one-third
of the audience raised their hands. Secondly, about ten
percent stated they had not, to their knowledge, been
violated by hackers. Subsequently, the question was expanded
to ask how many of their companies would not
admit to whether or not they have been violated. The
much larger portion of the group indicated an affirmative
answer to this question, demonstrating further the
reluctance of many companies to disclose this type of information.

Unfortunately, as demonstrated above, some company management will not admit their systems have been violated. They often fear they are exposing corporate vulnerabilities or their own negligence in failing to exercise “due care.” In addition, the specter of civil liability may preempt some corporations from notifying other victims who may be affected by the admitted penetration. Increasingly though, many companies are realizing that it is in their best interest to be conscientious and to view cooperative disclosure as being a “good business citizen.”

The law in this area appears to have been set up primarily to protect government and government-related industry, but not industry as a whole. This complicates the ability of private industry and legal authorities to adequately deal with these crimes. Tracking information technology crimes back to a human perpetrator in real-time is a challenge the legal community must address. Furthermore, we need people working on these cases who are both technically competent and able to present to lay jurors these technically complex cases in easily understood terms. With these challenges, industry and government must increase their training and support for improved security policy and tools.


The  role  of  security  education 

Boeing began its computing security program back in the early '80s, focusing on security for critical systems. During the last decade, increased emphasis has been placed on this program and now every computing system within Boeing is required to do an annual security self-assessment. This program has made great strides in the area of prevention and detection. But as we learned from this case, there are those whose determination can outwit the best of prevention and detection methods. Employee awareness is one of the strategic defenses against such attacks. In 1992, the Boeing corporate computing board approved a plan requiring all users of company computers to attend an annual security awareness briefing. These briefings are designed to educate employees on the threat, what to look for, and their role in protecting our systems and information. The briefers also emphasize the importance of information security to our company’s long-term competitiveness. We see our awareness activity as the cornerstone of a good security program.

In conclusion, government and private industry must begin communicating openly about the threat and sharing their experiences. The resulting synergy will only strengthen our ability to address these issues in the future and protect America’s economy and technological advantage.


Hands-on  STU-III  Training 


is  available  from  the 
GSA  INFOSEC  Training  Center 
in  Kansas  City,  MO 

Courses  are  offered  in  Kansas  City,  Washington  DC,  and  San  Francisco 
and  may  be  presented  at  your  location. 

For  information  contact: 

GSA  INFOSEC  Training  Center 
Registrar’s  Office 
1500  East  Bannister  Road 
Kansas  City,  MO  64131-3087 


(806)  926-7682 
DSN:  465-7682 
Have you heard about the


Center  for  Security  Awareness  Information? 

The  Department  of  Defense  Security  Institute  (DoDSI)  announces  the  1  April  1995  inauguration  of  the 
Center  for  Security  Awareness  Information. 

What  exactly  is  this  center  all  about? 

The  Center’s  mission  is  to  involve  the  security  community,  both  government  agencies  and  industry,  in 
sharing  products  and  information  to  maintain  and  improve  security  awareness  throughout  the  community. 
DoDSI  will  serve  as  the  focal  point  for  the  center. 

How  do  you  get  involved? 

We ask that you submit for consideration security products or information that you or your company have developed. Our task is to make the security community aware of these products and ideas. If you know about an excellent product that you believe could or should be shared with the security community, tell us about it! We will follow up. Through the mutual sharing of information and products, the whole security community benefits. Please get involved!

How  is  this  going  to  be  accomplished? 

Security products referred to the DoDSI will be reviewed and evaluated. We will then publish information about these products in the Security Awareness Bulletin, the Quarterly Center for Security Awareness Information Report, and other publications. Where appropriate, a point of contact for obtaining the product will be given. In some cases, DoDSI will provide products directly. Ultimately, we hope to provide some materials via the Internet as well as by paper copy.

What  types  of  security  products  and  information  can  you  share? 

We are interested in non-profit products for evaluation and broader distribution; however, we will list commercial products separately in the quarterly report. Here are just a few examples of products and information you may consider submitting for review and evaluation: videotapes, CAI/CBT software, computer games, computer graphics, computer slideshows, computer text files, films, information literature, job aids (paper products or software), manuals and handbooks, posters, print media inserts, promotional/miscellaneous items, quizzes and puzzles (paper or software), ready reference items, slide/tape sets, slides and slide sets, scripts and outlines, or services that your company is providing in the security field.

Is  there  a  fee  for  submitting  these  products  or  information  to  the  Center? 

No,  but  we  will  ask  each  submitter,  where  appropriate,  to  sign  a  short  release  statement  that  gives  us 
permission  to  reproduce  and  distribute  the  product. 

Whom  do  we  call  to  submit  or  discuss  our  security  products  and  information? 

Call  Del  Carrell,  Manager  of  the  Center,  at  (804)  279-5314  or  DSN  695-5314.  Or  write  her  at: 

Department  of  Defense  Security  Institute 
Attn:  Del  Carrell 

8000  Jefferson  Davis  Highway,  Bldg.  33E 
Richmond,  VA  23297-5091 
Army Correspondence Course Enrollment Application

For use of this form, see DA PAM 351-20. The proponent agency is TRADOC.

DATE

DATA REQUIRED BY THE PRIVACY ACT

AUTHORITY: 10 USC 3012 (B) and (G).

PRINCIPAL PURPOSE: To obtain information necessary by Army schools to administer student participation in the Army Correspondence Course Program.

ROUTINE USES: Used by Army schools to obtain basic data needed to determine eligibility for enrollment, process applications, maintain student records, and perform all other administrative functions inherent in student administration.

DISCLOSURE: Mandatory. Failure to provide this information could result in the applicant not being able to participate in the program.

Submit one copy. See instructions on back page. Fill in all blocks (except shaded blocks which are for school use).


1. Student SSN
2. Primary MOS/Duty MOS
3. CIV-SERIES
4. AOC Duty Position
5. ASI/SQI
6. Branch
7. DSN (Telephone)
COMM (Telephone)
9. Rank/Civ Grade (abbreviate)
10. Component Code
11. RYE Date (Month, Day)
Group Number
13. Enrollment
15. Course Number
17. Unit Identification Code
18. Subcourse Exemption

1 9.  I  REQUEST  ENROLLMENT  IN:  (Course  Title,  MOS  if  applicable  or  subcourses  desired). 
(Do  not  list  individual  subcourses  if  you  are  enrolling  in  a  course). 


NOTE:  If  you  were  previously  enrolled  in  this  course,  indicate  date  of  termination  of  enrollment.  _ 

Are  you  currently  enrolled  in  the  ACCP?  _ YES  _  NO 

20.  To.  (School  address,  including  ZIP  Code)  The  Army  Institute  for  Professional  Development 

U.S.  Army  Training  Support  Center 
Newport  News,  VA  23628-9989 

THRU:  (Unit  to  which  assigned) 

21. Title of approving official

Unit Address Line 1: Unit Designation (May not be left blank.)
Unit Address Line 2: P.O. Box or Street (May be left blank.)
Unit Address Line 3: City, Post or APO/FPO; State or AE/AP/AA; Zip + 4

22. FROM: (Mailing address to which subcourses are to be sent)

Last Name, First Name, Middle Initial
Student Address Line 1: Unit Designation or P.O. Box or Street (May not be left blank.)
Student Address Line 2: P.O. Box or Street (if not given on Student Address Line 1)
Student Address Line 3: City, Post, or APO/FPO; State or AE/AP/AA; Zip + 4

DA  FORM  145,  JAN  92  REPLACES  EDITIONS  OF  DEC  75  AND  MAY  83,  WHICH  ARE  OBSOLETE 


SCHOOL 


ARMY  SCHOOL  COURSES  AND  CORRESPONDENCE  COURSES  COMPLETED 

TITLES  OF  RESIDENT  OR  NONRESIDENT  COURSES  OR  INDIVIDUAL  SUBCOURSES  COMPLETED 


DATES 


Commander will verify the above from personnel records or soldier's individual records.

24. I have reviewed DA PAM 351-20, and understand the eligibility requirements that I must maintain to sustain my enrollment in this course. I further understand that assistance is not authorized when completing subcourse test.

Signature of Applicant ____

objectives and prerequisite enrollment requirements in DA PAM 351-20 and determined the applicant is eligible for enrollment in this course.

Unit Cdr or other approving officer
Name (printed or typed) ____
Signature ____

DA PAM 351-20 contains information pertaining to enrollment qualifications, submission of application and courses available.

INSTRUCTIONS TO APPLICANT

Printing only in areas that are not shaded (example below). The shaded areas are used for data entry. Enter only one character per block.

ITEM 1. SSN: Foreign students must leave blank.

ITEM 2. Student's PMOS (Primary MOS) and DMOS (Duty MOS). Enter numeric and alpha identifiers.

ITEM 3. Civ-Series number (for example 1702).

ITEM 4. AOC Area of Concentration or Duty Position. Submit information required to qualify for enrollment.

ITEM 9. RANK: RA warrant officers and enlisted personnel who hold a reserve commission and are enrolling in officer career development courses must enroll in their reserve capacity.

ITEM 10. Component Code: Student categories: Enter one of the following as appropriate:

02 Active Duty
03 RA/AUS ENL
06 RET MILITARY
07 USAR OFF/WO
08 NGUS OFF/WO
09 USAR ENL
10 NGUS ENL
12 NDCC/ROTC/JR
13 FGN MIL
14 U.S. CIV
15 FGN CIV
16 USAF
17 USN
18 USCG
19 USMC
20 CADET
31 IRR (OFF)
32 IRR (ENL)
33 NAF (VOL)

ITEM 11. RYE Date (Retirement Year Ending Date): USAR and NG applicants not on active duty must enter the anniversary date of their retirement year ending day and month.

Where to mail application: address of school with whom you are seeking enrollment, e.g., Academy of Health Science, The Judge Advocate General's School, Army Logistics Management College, the Army Institute for Professional Development, etc.

REVERSE OF DA FORM 145


A  New  Point  of  Contact  for  Security  Professionals 


introducing  the 


Center for Information Systems Security (CISS)


5113  Leesburg  Pike,  Suite  400 
Falls  Church,  Virginia  22041-3230 
Phone  number:  (703)  756-7960,  DSN  289-7960 
Fax:  (703)  756-7949 

Goal

The CISS goal is to create and manage a unified, fully integrated information systems security program for all Defense Information Infrastructure (DII) systems.

Mission

CISS is a focal point for assuring availability, integrity and confidentiality of DII Automated Information Systems (AIS) information. The Center has the responsibility to provide a unified information systems security policy and architecture for all DII information systems. CISS also supports policy and architecture implementation, and provides direct Information Systems Security (INFOSEC) support to DII programs. A key effort for CISS is to define requirements for DII INFOSEC standards and protocols. CISS also expedites Multilevel Security (MLS) implementation, and provides central coordination and reporting for response to all DoD INFOSEC incidents.

Scope

The scope of operations for the Center for Information Systems Security includes:

> Execution of the Defense Information Systems Security Program (DISSP) missions and functions.

> Execution of the DoD MLS mission.

> Support to the Assistant Secretary of Defense/Command, Control, Communications, and Intelligence (ASD/C3I).

CISS is a joint DISA/NSA organization charged to execute centrally managed INFOSEC functions within the DoD. Starting in 1990 as the Defense Information Systems Security Program (DISSP), this organization was elevated to a new Center within the DISA under the Joint Interoperability and Engineering Organization (JIEO). CISS executes DISSP, MLS, and other DISA missions and functions. The CISS Director, Mr. Robert Ayers, is the Director of DISSP, and COL John Sheldon serves as the Program Manager of the MLS Program. This increase in organizational posture highlights the expanded importance of INFOSEC in the DoD.
Directorates & Functions

INFOSEC Policy, Plans, & Programs

> Provides recommendations to ASD/C3I concerning DoD INFOSEC program fiscal review, program monitoring, and program prioritization.

> Manages the government-wide INFOSEC Omnibus Contract.

> Prepares economic and cost analyses and business cases associated with Center and DoD INFOSEC.

> Supports ASD/C3I in developing INFOSEC policy, directives, and regulations for DoD.

> Develops and maintains a comprehensive INFOSEC awareness program.

Architecture and Engineering Directorate

> Ensures DII programs implement DoD Goal Security Architecture.

> Develops security architectures for the DII.

> Develops INFOSEC transition plans for DII implementation.

> Performs configuration management of DII architecture.

> Recommends INFOSEC AIS/Technology standards.

> Maintains the DoD Goal Security Architecture.

Evaluation, Certification, and Accreditation Directorate

> Creates a focal point in DoD for life cycle security support for major automated information systems. These systems include the DoD business mission area, the Defense Message System (DMS), and other critical information systems that support the DII.

> Develops, implements, and manages uniform security certification and accreditation procedures for classified and unclassified DoD information systems.

> Performs security certification of DoD Mega-Data Centers.

> Establishes a program to ensure DoD information systems are operated and maintained in accordance with their accreditation.

Security Products Program Directorate

> Maintains a database of INFOSEC products and requirements.

> Consolidates defense community INFOSEC product requirements and needs.

> Ensures the application of INFOSEC products and services to DoD Information Systems’ programs.

> Maintains technology transfer program with government and industry.

Professionalization Directorate

> Incorporates customer requirements into the INFOSEC Professionalization Program.

> Develops and coordinates an INFOSEC professional career development program for DoD.

> Standardizes execution of INFOSEC education and training throughout the DoD.

Multilevel Security Directorate

> Plans and coordinates DoD MLS projects and initiatives.

> Assesses MLS products and technology for use in DoD information systems.

> Supports fielding and implementation of MLS capabilities at high-priority commands.

> Identifies MLS technology and product requirements.

> Provides a set of MLS solutions for widespread deployment. Examples include:

    > Operations/Intelligence Interface,

    > Two-level Workstations,

    > Worldwide Military Command and Control System (WWMCCS) Guard,

    > Releasability Guard (under development),

    > Secure E-mail Guard (under development).


Security Awareness Bulletin, Number 2-94


INFOSEC Countermeasures Directorate

> Establishes a program to develop and incorporate INFOSEC countermeasures into the DII.

> Conducts a Vulnerabilities Analysis and Assistance Program (VAAP) for DoD AISs.

> Disseminates threat information provided by the intelligence community to DoD elements.

> Operates an Automated Information Systems Security Incident Support Team (ASSIST).

ASSIST Program

ASSIST is the action arm of the DoD responding to INFOSEC incidents worldwide, 24 hours a day. ASSIST can be reached during normal business hours at (703) 756-7974, DSN 289-7974; or at any time of day by dialing 1-800-SKY-PAGE or (800) 759-7243; and entering PIN 2133937. Follow the prompts and enter the call back number. If immediate assistance is needed, preface the call back number with 999, and the duty officer will call back within 5 minutes.


Subscriptions to DISSPATCH, the Center for Information Systems Security’s INFOSEC newsletter, may be ordered by faxing a request to the attention of “Newsletter/TGA” at fax (703) 756-7949, or by calling (703) 756-7944, DSN 289-7944.


Advanced Industrial Security
Management Course
Hits the Road!


DoDSI recently presented the Advanced Industrial Security Management Course in Reston, Virginia, at the LOGICON Inc. facility. The responses from the attendees were extremely complimentary, due in large part to our host LOGICON. The classrooms they provided (as well as the coffee) greatly added to the success of the course. We’d like to thank Diane, Marcie, and Dora for all their help.

We plan on offering the AISMC in the field next fiscal year. If your company would be interested in sponsoring it at one of your facilities, please call Paul McCray on (804) 279-4759.
Security Awareness Publications Available from the Institute

Publications are free. Just check the titles you want and send this form to us with your address label.

Our address is:

DoD Security Institute
Attn: SEAT
8000 Jefferson Davis Hwy, Bldg 33E
Richmond, VA 23297-5091

(804) 279-5314/4223 or DSN 695-5314/4223


□ Recent Espionage Cases: Summaries and Sources. July 1994. Eighty-five cases, 1975 through 1994. “Thumb-nail” summaries and open-source citations.

□ Announcement of Products and Resources. March 1996. A catalog of security education videos, publications, posters, and more you can order.

□ DELIVER! Easy-to-follow pamphlet on how to transmit and transport your classified materials. Written specifically for the Department of Defense employee. September 1992.

□ Terminator VIII. Requirements for destruction of classified materials. Written specifically for the Department of Defense employee. September 1992.

□ STU-III Handbook for Industry. To assist FSOs of cleared defense contractors who require the STU-III, Type 1 unit. Covers step-by-step what you need to know and do to make the STU-III a valuable addition to your facility’s operations.

□ Survival Handbook. The basic security procedures necessary for keeping you out of trouble. Written specifically for the Department of Defense employee. April 1995.

□ Layman’s Guide to Security. The basic security procedures that you should be aware of when handling classified materials in your work environment. May 1995.

□ Acronyms and Abbreviations. Twelve pages of security-related acronyms and abbreviations and basic security forms. October 1995.

□ Take A Security Break. Questions and answers on security and other topics.

□ Take Another Security Break. More questions and answers.

□ Lock Up! A pamphlet on the structural standards and other security requirements for the storage of conventional arms, ammunition, and explosives. August 1995.


Security Awareness Bulletin. A quarterly publication of current security countermeasures and counterintelligence developments, training aids, and education articles. Back issues available from the Institute:

□ The Case of Randy Miles Jeffries (2-90)
□ Beyond Compliance - Achieving Excellence in Industrial Security (3-90)
□ Foreign Intelligence Threat for the 1990s (4-90)
□ Regional Cooperation for Security Education (1-91)
□ AIS Security (2-91)
□ Economic Espionage (1-92)
□ OPSEC (3-92)
□ What is the Threat and the New Strategy? (4-92)
□ Acquisition Systems Protection (1-93)
□ Treaty Inspections and Security (2-93)
□ Research on Espionage (1-94)
□ Information Systems Security (2-94)
□ Acquisition Systems Protection Program (3-94)
□ Aldrich H. Ames Espionage Case (4-94)
□ Revised Self-Inspection Handbook/Summary of NISPOM Changes (1-95)
□ The Threat to U.S. Technology (2-95)
□ Entering a New Era in Security (1-96)